Hacker News new | comments | show | ask | jobs | submit login
Ask HN: What encryption programs do you use?
8 points by josephriley 1469 days ago | hide | past | web | 6 comments | favorite
Recently I've been trying to secure almost everything on my company's computers/employee's computers.

I was wondering if you guy's have any recommendations on file encryption; and what encryption software do you use/trust?

Encryption software is not something to be trusted; it's use is to be regarded as a necessary evil, likely to fail without warning, and prone to catastrophic failures in two modes; that of being completely ineffective and that of being all too effective. People are not good at Key Management, and if you ever think that you have learned how to be good at Key Management, that is the day that you will screw it up royally.

That said.

1. Generate private keys on a host that is fully disconnected from the network using an OS image dedicated to that purpose.

2. Make backups, on paper, keep them in separate locations, take reasonable precautions to make sure that root keys are recoverable. Be aware of how this compromises your security, and what tripwires and alarms you need to have in place to deal with those vulnerabilities.

3. Do create intermediate signing keys, you shouldn't need to open the vault to create an email alias or process a new hire.

4. Do re-key on a schedule. Do not generate fresh keys ahead of time.

5. You are not MI-6 or the NSA, you will screw it up. Have a plan for when that happens.

Use full-disk encryption (TrueCrypt for Windows, LUKS for Linux, softraid crypto for OpenBSD, etc.) File-based encryption is too hard to get wrong - are you sure that your editor didn't write an unencrypted copy to disk and deleted it immediately after?

GnuPG on OSX and I use it mostly via Emacs. PGP would probably be a good choice for some companies since it relies on a concept called the "web of trust."

LUKS/dm-crypt for file system encryption on Linux

Encfs and Truecrypt for encrypted file stores

GnuPG for encrypted files and email

Enigmail to integrate GnuPG with Thunderbird

TrueCrypt is good and quite common.

Thanks for the insight!

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact